Zealot Loads Cryptocurrency Miner on Linux, Windows Machines

A new Apache Struts campaign that researchers named “Zealot” has come to light in recent weeks. Zealot loads Windows or Linux-based machines by installing a miner for Monero, which has become one of the hottest cryptocurrencies used in recent malware attacks.

Zealot uses NSA-linked EternalBlue and EternalSynergy exploits, according to the F5 Labs researchers who discovered the campaign. It targets unsuspecting computer users with a multistaged attack that exploits servers vulnerable to the Jakarta Multipart Parser attack and the DotNetNuke vulnerability.

Zealot is the first Apache Struts campaign using the NSA exploits to be unleashed within internal networks, according to F5 researchers.

The WannaCry and NotPetya ransomware campaigns, as well as the Adylkuzz cryptominer attacks that surfaced this spring scanned the Internet for SMBs to exploit using NSA tools that previously had been unleashed by the Shadow Brokers hacking group, F5 noted.

The firm “discovered the campaign through sensors we constantly monitor and analyze,” said spokesperson Rob Gruening.

Vulnerable Systems

The Zealot campaign exploits the Jakarta Multipart Parser attack [CVE-2017 5638] discovered earlier this year. It sends the Apache Struts exploit via the Content-Type header, according to F5, forcing vulnerable servers to execute Java code.

In Linux systems, a “nohup” shell command runs in the background and executes a spearhead bash script. The script checks to see if the machine is already infected and fetches cryptominer malware called “mule.”

In Windows, the STRUTS payload runs a hidden PowerShell Interpreter that runs a base64 encoded code, according to F5. A downloaded file emerges as a heavily obfuscated script called “scv.ps1” and downloads miner malware. If python 2.7 is not installed on a Windows machine, it downloads a python installer and deploys it, according to F5.

The names and values in the script, such as “Zealot,” “Raven,” “Observer” and “Overlord,” are taken from the popular StarCraft game.

The Zealot attacker made use of the EmpireProject, a PowerShell and Python post-exploitation agent.

DotNetNuke attacks involve the use of a content management system based on ASP.NET, which sends a serialized object through a vulnerable DNNPersonalization cookie, according to F5. The attacks use an ASPNET “ObjectDataProvider” gadget and “ObjectStateFormatter” to embed another object.

A patch was issued in March, confirmed Sally Khudairi, vice president of marketing and publicity for The Apache Software Foundation.

Recommended Precautions

The increased use of open source applications and the growing popularity of cryptocurrency have created more opportunities for bad actors, according to Mike Pittenger, vice president of security strategy at Black Duck Software.

Bitcoin has increased in value from US$800 to more than $19,000 over the past year, he told LinuxInsider.

“Hackers understand that vulnerabilities in widely used open source projects are an easy target,” Pittenger said. “Unlike commercial software, where updates and patches are pushed to users, open source requires users to monitor each project they incorporate into their code for updates.”

Hosts need to be patched as soon as possible to avoid exposure, said Varun Badhwar, chief executive officer at Redlock.

“Organizations need to realize this extends to their public cloud deployments since the shared responsibility model dictates that customers need to solve this issue, not the service provider,” he told LinuxInsider. “Only through the continuous monitoring of hosts will enterprises ensure their environments are secure.”

The wave of attacks involving virtual currencies comes at a time when bitcoins are reaching record highs, noted Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

“However this has been matched in equal measure by an increase of attacks in the cryptocurrency ecosystem,” she told LinuxInsider, “from attacks on unrelated companies to mine cryptocurrency to direct attacks on wallets, initial coin offerings and more.”

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

LinuxInsider Channels